Reminder: Compliance with HIPAA Is Important (and Mistakes are Costly)
Compliance with HIPAA is critically important to covered entities and their business associates. This is not new, but it is good to remember that noncompliance with HIPAA Privacy and Security rules can lead to enforcement action and the imposition of civil monetary penalties.
The HHS Office of Civil Rights investigates violations of health information privacy rights. The HIPAA enforcement rule, which can be found at 45 CFR Part 160, Subparts C, D, and E, contains provisions for investigations and procedures for hearings.
The HHS OCR has been active in 2017. After 6 months, there have been a number of investigations of violations of HIPAA’s Privacy Rule. Covered entities should review here the types of violations that have arisen and how they were resolved.
Here is a reminder of the types of things that covered entities and business associates should be doing:
- Maintain up-to-date copies of HIPAA laws and regulations
- Make sure Notice of Information Practices and Consent forms are in place and comply with laws and regulations (in multiple languages, if needed?)
- Designate an information privacy and security officer
- Make sure there are Business Associate Agreements in place (and signed)
- Implement procedures for receiving, documenting, and investigating complaints
- Maintain IT security software, backup system, and disaster recovery plan
- Conduct risk assessments regularly
- Document all operational processes and procedures
- Implement procedures for breach notification
- Update training of employees
HHS OCR has been conducting audits of covered entities and their business associates to assess compliance with HIPAA Privacy and Security Rules. Audits of whom? According to HHS OCR —
Who Will Be Audited?
Every covered entity and business associate is eligible for an audit. These include covered individual and organizational providers of health services; health plans of all sizes and functions; health care clearinghouses; and a range of business associates of these entities. We expect covered entities and business associates to provide the auditors their full cooperation and support.
It’s important to remember to be careful and thorough in all dealings that implicate HIPAA. Data breaches and fines are embarrassing and expensive.
Federal Government Report Summarizes Health Care Privacy Compliance Efforts
The blogger below summarizes recent reports from HHS on privacy issues. These reports demonstrate (at least, to me) that protecting the privacy of patient health information in the manner prescribed by the HIPAA (and applicable state) laws and regulations may be largely unattainable. I have concluded that privacy does not merit the emphasis being placed on it or the financial burdens required of the health care industry in order to comply. The task is a lot like filling up a sieve. There are more important things to worry about in American healthcare.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued two reports to Congress required by Section 13402(i) of the Health Information Technology for Economic and Clinical Health (HITECH) Act:
- “Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 and 2012” (the Breach Report); and
- “Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Years 2011 and 2012” (the Compliance Report).
Both of OCR’s reports (as well as previous annual reports) may be accessed here. This post discusses the Compliance Report. We summarized the Breach Report in a separate post entitled “Federal Government Report on Data Breaches in Health Care.”
OCR is the office responsible for administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules. The Compliance Report summarizes OCR’s compliance and enforcement activity with respect…
Online access: Portals connect patients with their medical info
“We do everything online, book airline tickets, paying bills,” said Tupelo family physician Dr. Brad Crosswhite, who helped pilot the North Mississippi Medical Clinic portal in 2012. “Why not handle medicine the same way?”
The secure, free services give access to medication histories, visit summaries, lab results and reminders about upcoming appointments. On most hospital portals, patients can see their discharge instructions. With the clinic portals, patients can request refills and communicate securely with the staff.
“The ultimate goal is to have patients more engaged with their care.”
This is from an online article from InsuranceNewsNet.com: Online access: Portals connect patients with their medical info.
Yes, of course, this is a good thing. But couldn’t it be better? It’s time we stopped being so apoplectic about privacy and security, and more focused on how to get better patient engagement in their care. HIPAA has run amok and clearly makes things unintentionally harder than they need to be. As with most government regulations, compliance is more costly and disruptive than the problem being addressed. No one disputes the value of keeping healthcare records private, but that goal needs to be balanced against the real goal of improving healthcare.